This repository has been archived by the owner on May 14, 2020. It is now read-only.

Rule 921130: False positive #1609

Open
Taiki-San opened this issue Oct 24, 2019 · 7 comments

@Taiki-San
Contributor

Taiki-San commented Oct 24, 2019

Type of Issue

False positive.

Description

I'm not sure what the regex is trying to do (I guess matching <html when there is no > forthcoming?), but it instead matches any HTML blob, including <html>.
I guess \b was meant not to match if there was a > at the end of the tag but it doesn't work, at least not on RE2.
Therefore, any HTML blob will match, making this rule incredibly noisy.

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

@Taiki-San
Contributor Author

A very similar issue is present in 941140 where it'll match simple things like <body>

@github-actions

This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days

@github-actions github-actions bot added the Stale issue This issue has been open 120 days with no activity. label Feb 22, 2020
@Taiki-San
Contributor Author

Same as the others, this one is still valid :)

@dune73
Contributor

dune73 commented Feb 24, 2020

I'm taking it into the agenda for the next chat.

@dune73 dune73 added Meeting Agenda and removed Stale issue This issue has been open 120 days with no activity. labels Feb 24, 2020
@franbuehler franbuehler self-assigned this Mar 2, 2020
@dune73
Contributor

dune73 commented Mar 4, 2020

Decision during the CRS project chat on March 2, 2020: @franbuehler will solve this.

#1683 (comment)

@franbuehler
Contributor

franbuehler commented Apr 25, 2020

The rule 921130 is a msg:'HTTP Response Splitting Attack' rule.
I think the regex does exactly what it should do: to detect an html <html or a request line http/1.1 in one of the targets REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*.

Rule: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.3/dev/rules/REQUEST-921-PROTOCOL-ATTACK.conf#L88

So I don't think that the regex is wrong. Maybe the rule is too strict and we have false positives. But the regex is correct.

Are there a lot of false positives?
I don't have false positives in "my applications".

Other opinions?

@Taiki-San
Contributor Author

Hey! Thanks for spending time looking into this issue.
We had an extreme level of false positives on this one, because this pattern runs on ARGS. Many of our users have applications processing HTML blobs, and this rule will trigger on a large percentage of their requests, making it useless.
Moreover, although I understand the role of http/1.1 in an HTTP splitting attack, I don't really get why <html is there.
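The `\b` behaviour disputed in the opening post and in franbuehler's reply, shown as an added example that is not part of the issue or of the CRS rule file: the pattern below is an assumed approximation of rule 921130 (a bare `http/<digit>` or an opening `<html` tag, each bounded by `\b`), and the sample values are constructed. It shows why `<html>` satisfies `<html\b`: `>` is not a word character, so the boundary assertion succeeds there.

```python
import re
from typing import Dict, Optional

# ASSUMPTION: approximation of the 921130 pattern as described in the thread,
# not a copy of the CRS rule file. \b is a word-boundary assertion.
RULE_921130_RX = re.compile(r"(?:\bhttp/\d|<html\b)", re.IGNORECASE)


def rule_921130_matches(value: str) -> bool:
    """True when the approximated 921130 regex fires on an ARGS value."""
    return RULE_921130_RX.search(value) is not None


def boundary_after_html(value: str) -> Optional[str]:
    """Return the character right after a matched '<html', or None.

    \\b only asserts a transition between a word char [A-Za-z0-9_] and a
    non-word char. '>' is non-word, so '<html>' passes '<html\\b' exactly
    like '<html ' does; only a word char (e.g. '<htmlx') defeats it.
    """
    m = RULE_921130_RX.search(value)
    if m is None or not m.group(0).lower().startswith("<html"):
        return None
    end = m.end()
    return value[end] if end < len(value) else ""


# Constructed sample ARGS values and the expected rule outcome.
SAMPLES: Dict[str, bool] = {
    "<html><body>hello</body></html>": True,   # plain HTML blob: false positive
    '<html lang="en">': True,                   # space after tag name: boundary holds
    "<htmlx>": False,                           # word char after 'html': no boundary
    "HTTP/1.1 200 OK": True,                    # request-line fragment: intended hit
    "just some text": False,
}


def evaluate_samples() -> Dict[str, bool]:
    """Run the approximated rule over every constructed sample."""
    return {s: rule_921130_matches(s) for s in SAMPLES}


if __name__ == "__main__":
    for s, hit in evaluate_samples().items():
        print(f"{hit!s:5} {s!r}  next_char={boundary_after_html(s)!r}")
```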
